What is two-factor authentication?
Two-factor (2FA) or multi-factor authentication (MFA) is an additional security layer for your business – helping to address the vulnerabilities of a standard password-only approach. Back in the early days of authentication, organisations were reliant on hardware tokens to generate a secure passcode – the type you’d associate with online banking. But that solution was clumsy and prone to unforeseen expenses – with tokens frequently lost, broken or expiring.
Modern tokenless systems use mobile devices to make roll-out and management much easier. Here at SecurEnvoy, we brought the first-ever tokenless two-factor authentication product to market. Our system employs a user’s device, with passcodes generated locally or delivered via SMS, voice calls, secure emails or via an app. The approach is supremely secure, and extremely cost effective too.
Why don’t more people use two-factor authentication?
Even the simplest cybersecurity suggestion can be challenging for the average person to embrace.
Not everybody wants to pay for or set up a virtual private network or use a password manager. But there’s one simple, cheap technique you can employ called two-factor authentication, which protects your account if hackers ever steal your password.
Chances are, you’re already using a form of it. When you pay for an item with a debit card and are asked to enter a PIN code after swiping, that’s two-factor authentication. It’s ultimately just using two ways of proving your identity, most commonly a password and then a code sent to your phone.
Two-factor authentication is one of the easiest ways to prevent hackers from hijacking your accounts. And at a time when hacks of retail chains like Chipotle, websites like Yahoo or credit-check bureaus like Equifax happen with a startlingly high frequency, it’s a practice you should start making a habit.
Yet, it’s still a long way from widespread adoption, researchers from Indiana University said at the Black Hat security conference on Thursday. Indiana University Professor L. Jean Camp and Sanchari Das, a doctoral student at Indiana University Bloomington, conducted a study of 500 people to find out why the simple security measure isn’t popular, despite its benefits and ease.
For their research, they purposely sought out tech-savvy students on campus to make sure the result wasn’t affected by people who just didn’t understand what two-factor authentication is. They wanted participants who had more security and computer expertise than the average person.
What they found was that while these students understood technology, they didn’t understand why they needed to take this cybersecurity precaution.
“There was a tremendous sense of confidence,” Camp said. “We got a lot of, ‘My password is great. My password is plenty long enough.’”
Many who do use two-factor authentication rely on an SMS version of it, where a PIN code is texted to their phones. But it’s not as safe as using a physical security key for two-factor authentication, because text messages can still be intercepted, like what happened with Reddit on Aug. 1.
“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Christopher Slowe, Reddit’s chief technology officer, said in a post.
Camp said many of the students in the study didn’t feel like they’d ever be hacked and didn’t see a need for two-factor authentication — notions the majority of the US population might share.
So what are the challenges with two-factor authentication?
In a survey published last November, Duo Security found that less than one-third of Americans are using two-factor authentication, while more than half of Americans had never even heard of it.
In January, a software engineer from Google revealed that less than 10 percent of Gmail accounts were using two-factor authentication.
Camp and Das suggested that the best way to get more people to use two-factor authentication would be to better communicate the risks. The same way “Smoking Kills” signs next to cigarettes drive the point home, websites and apps should let users know that a strong password might not be enough.
It doesn’t matter how long your password is — most login information is stolen in database breaches where hackers can just copy and paste passwords. That’s why two-factor authentication is a useful second line of defense.
The two researchers sent this suggestion to Google and Yubico, a security company that provides two-factor authentication with a physical key you plug into your USB port. Gmail, Facebook and Twitter are among the many websites that allow for Yubikey as another form of identification.
So far, it hasn’t been enough.
“There is an additional step in usability, which is motivation,” Camp said. “You can enjoy driving the car, but you’re not going to enjoy putting on your seat belt. You have to communicate, ‘If I’m taking this hassle, it’s for my own good.’”
Are people using two-factor authentication?
The lack of interest is a real challenge for the folks at Google and Yubico. They want to make sure their users are safe, but few people are actually using their security measures.
Google introduced its own security key on July 25, but the company understands that people aren’t lining up around the block to get two-factor authentication. It knows that the majority of people on Google aren’t using the key, but it’s hoping to change that.
Sam Srinivas, a product management director for information security at Google, expects things to shift very soon.
“It’s still in the early days,” Srinivas said. “The message has not gone out as to what the real risks of phishing are, but I think we’re at the tipping point.”
Here at 101FM we are using the MYOB accounting program and they have introduced two-factor authentication. The user logs into MYOB with their username & password and is then prompted to enter the two-factor authentication password. The user downloads an app on their phone, Google Authenticator, which generates a password every 60 seconds which the user enters into the MYOB program. Other websites such as MyGov use a similar system where the user downloads the MyGov app which generates the password to login to the MyGov website.
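The authenticator-app codes described above are time-based one-time passwords (TOTP, RFC 6238): the app and the service share a secret at enrolment, and each code is an HMAC over the current time step. The following is an added example, not code from the article, from MYOB or from Google. It shows both the code generation the app performs and the checks the service side needs: a small window for clock drift between the phone and the server, constant-time comparison, and rejection of a code that has already been accepted, so a code captured by phishing or SMS interception cannot be replayed. The secret is the RFC 6238 test-vector secret (base32 of the ASCII string 12345678901234567890); the class and function names are this example's own.

```python
"""Added example: TOTP generation and server-side verification (RFC 4226/6238)."""
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret "12345678901234567890", base32-encoded (demo only;
# a real secret is random and shared once at enrolment, e.g. via a QR code).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to 31 bits and reduced modulo 10**digits."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step).
    This is what the authenticator app computes and displays."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Service side of the exchange. Accepts the current time step plus
    `drift_steps` either side to tolerate phone clock drift, and remembers
    the highest step already accepted so a code cannot be used twice."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6,
                 drift_steps: int = 1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps
        self.last_used_step = -1  # persisted per user in a real deployment

    def verify(self, submitted: str, now: int) -> bool:
        """Return True and record the step if `submitted` is a fresh code
        for a step inside the drift window; False otherwise."""
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current = now // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            candidate = current + delta
            if candidate <= self.last_used_step:
                continue  # replay, or older than a code already accepted
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Phone and server agree on the secret; the phone shows the code for "now".
    now = 59
    shown = totp(DEMO_SECRET_B32, now)
    verifier = TotpVerifier(DEMO_SECRET_B32)
    print("code shown on phone:", shown)          # 287082 per RFC 6238
    print("first use accepted:", verifier.verify(shown, now))   # True
    print("replay accepted:", verifier.verify(shown, now + 5))   # False
```

Two points worth noting for anyone operating such a system: the drift window should stay at one step either side, since every extra step roughly doubles the chance that a guessed six-digit code lands on a valid one, and the `last_used_step` value must be stored per user server-side, otherwise the replay check is lost across processes or restarts.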
As more high-profile phishing attacks continue to make headlines, like hackers stealing $2.4 million from a Virginia bank with phishing emails, more people will understand the risks, he said.
The challenge is getting rid of a false sense of security, Stina Ehrensvard, Yubico’s CEO and founder, said at Black Hat.
She said account takeovers don’t happen when a person has a security key, but people don’t feel they’re at risk until it’s too late.
“Most people that have had their accounts hacked end up using two-factor authentication,” Ehrensvard said. “The ones who haven’t are thinking, ‘Oh, it’s not going to happen to me.’”
But the company isn’t going to wait until everyone has been hacked to adopt security keys. Ehrensvard said Yubico has made several efforts to spread the word about security keys, like setting up workshops and awareness programs.
The company has worked with political campaigns, news organizations, financial institutions and government agencies in the last few years, she said. The adoption rate might be slow, but Ehrensvard isn’t worried.
“There is no other authentication technology out there that has as good of a return on investment,” she said. “But there is a perception problem.”
What is two-factor authentication for Apple ID?
With two-factor authentication, your account can only be accessed on devices you trust, like your iPhone, iPad, or Mac. When you want to sign in to a new device for the first time, you’ll need to provide two pieces of information—your password and the six-digit verification code that’s automatically displayed on your trusted devices. By entering the code, you’re verifying that you trust the new device. For example, if you have an iPhone and are signing into your account for the first time on a newly purchased Mac, you’ll be prompted to enter your password and the verification code that’s automatically displayed on your iPhone.
Because your password alone is no longer enough to access your account, two-factor authentication dramatically improves the security of your Apple ID and all the personal information you store with Apple.
Once signed in, you won’t be asked for a verification code on that device again unless you sign out completely, erase the device, or need to change your password for security reasons. When you sign in on the web, you can choose to trust your browser, so you won’t be asked for a verification code the next time you sign in from that computer.
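The trusted-device behaviour described in the three paragraphs above follows a simple lifecycle: a device earns trust by passing the second factor once, keeps it across later sign-ins, and loses it on sign-out, on erase, or when the password changes. The following is an added example modelling that lifecycle; it is not Apple's code and makes no claim about how Apple implements it. The design choice it demonstrates is binding every trust record to a password generation counter, so that a password change invalidates all existing trust in one step without having to find each record. The `TrustedDeviceService` class, its method names and the `displayed_code` helper (standing in for the code being shown on an already-trusted device) are this example's own.

```python
"""Added example: trusted-device lifecycle for a second factor, with trust
bound to a password generation so a password change revokes it everywhere."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TrustRecord:
    device_id: str
    password_generation: int  # generation the trust was granted under


@dataclass
class Account:
    password: str
    password_generation: int = 1
    trusted: dict = field(default_factory=dict)  # trust token -> TrustRecord


class TrustedDeviceService:
    """Sign-in flow: password first, then either a valid trust token for
    this account or a fresh six-digit verification code."""

    def __init__(self, account: Account):
        self.account = account
        self.pending_codes: dict = {}  # device_id -> code awaiting entry

    def _token_is_trusted(self, token) -> bool:
        rec = self.account.trusted.get(token)
        return rec is not None and rec.password_generation == self.account.password_generation

    def displayed_code(self, device_id: str):
        """Models the code being displayed on the user's trusted devices."""
        return self.pending_codes.get(device_id)

    def sign_in(self, device_id: str, password: str, token=None, code=None):
        """Returns (status, trust_token). status is 'signed_in', 'need_code'
        or 'denied'; trust_token is set only when status is 'signed_in'."""
        if not hmac.compare_digest(password.encode(), self.account.password.encode()):
            return "denied", None
        if token is not None and self._token_is_trusted(token):
            return "signed_in", token  # already-trusted device: no code asked
        if code is None:
            # First sign-in from this device: issue a code for the trusted devices to show.
            self.pending_codes[device_id] = "".join(secrets.choice("0123456789") for _ in range(6))
            return "need_code", None
        expected = self.pending_codes.pop(device_id, None)
        if expected is None or not hmac.compare_digest(code.encode(), expected.encode()):
            return "denied", None
        new_token = secrets.token_urlsafe(16)
        self.account.trusted[new_token] = TrustRecord(device_id, self.account.password_generation)
        return "signed_in", new_token

    def sign_out(self, token) -> None:
        """Signing out completely drops that device's trust."""
        self.account.trusted.pop(token, None)

    def erase_device(self, device_id: str) -> None:
        """Erasing a device drops every trust record it held."""
        stale = [t for t, r in self.account.trusted.items() if r.device_id == device_id]
        for t in stale:
            del self.account.trusted[t]

    def change_password(self, new_password: str) -> None:
        """A password change bumps the generation; every existing trust
        record now fails the generation check and the code is asked again."""
        self.account.password = new_password
        self.account.password_generation += 1
        self.account.trusted.clear()  # optional tidy-up; the generation check already revokes them


if __name__ == "__main__":
    svc = TrustedDeviceService(Account(password="correct-horse-battery"))
    print(svc.sign_in("new-mac", "correct-horse-battery"))            # ('need_code', None)
    code = svc.displayed_code("new-mac")                              # shown on the iPhone
    status, tok = svc.sign_in("new-mac", "correct-horse-battery", code=code)
    print(status, svc.sign_in("new-mac", "correct-horse-battery", token=tok)[0])
    svc.change_password("new-passphrase")
    print(svc.sign_in("new-mac", "new-passphrase", token=tok))        # ('need_code', None)
```

Keeping the generation check in `_token_is_trusted` rather than relying on `trusted.clear()` is deliberate: in a real deployment trust records may live in several stores or caches, and a version check on read revokes them all consistently even if a purge is missed.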